Lilia -

Virus database is updated daily and was updated last night. Still seeing one this morning:

Virus Urlhaus.Malware.364328-9787819-0:
    https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)

Though that is a different signature.

Orion

On 1/7/21 7:56 AM, Lilia Gonzalez Medina wrote:
> Hi Orion!
>
> Those NBD signatures were updated at the beginning of the week and should not
> FP anymore. Please update your ClamAV db and let us know if the issue
> persists.
>
> Best regards,
>
> Lilia Gonzalez
> Malware Research Team
> Cisco Talos
>
> On Wed, Jan 6, 2021 at 4:59 PM Orion Poplawski <or...@nwra.com> wrote:
>
> > Lilia -
> >
> > Thanks for the response. We're seeing some others getting triggered as
> > well:
> >
> > Virus Urlhaus.Malware.490516-9766015-0:
> >     10.21.2.5 https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt: 2 Time(s)
> >     10.21.2.5 https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt: 2 Time(s)
> >     10.21.2.5 https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt: 1 Time(s)
> >     10.21.2.5 https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt: 1 Time(s)
> >     10.21.2.5 https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/10be1f3fc35ff760fb57a10ab7a4ba7feed5d037/urlhaus-filter-online.txt: 1 Time(s)
> >
> > Virus Urlhaus.Malware.161756-8797115-0:
> >     10.10.20.7 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> >     10.11.1.3 https://addons.cdn.mozilla.net/user-media/addons/607454/ublock_origin-1.32.4-an+fx.xpi?filehash=sha256%3A5b94fd7f749319a6ff6d83dd20b05b29e733446465aff2ab7669499a3e8fb9cc: 1 Time(s)
> >
> > Orion
> >
> > On 1/4/21 8:43 AM, Lilia Gonzalez Medina wrote:
> > > Hi Orion!
> > >
> > > Thank you for reporting this. URLhaus is a partner that generates a list of
> > > ClamAV signatures to target malicious URLs. Signature
> > > Urlhaus.Malware.452652-9766253-0 looks for a malicious URL inside HTML
> > > files, which is why it is alerting on the URLs you mentioned. We found these
> > > FPs some weeks ago and added an extra check on new ClamAV signatures to
> > > prevent them from alerting on legitimate URLhaus content. We are currently
> > > updating older ClamAV signatures to ensure they don't FP on non-malicious
> > > HTML files.
> > >
> > > Best regards,
> > >
> > > Lilia Gonzalez
> > > Malware Research Team
> > > Cisco Talos
> > >
> > > On Wed, Dec 23, 2020 at 1:11 PM Orion Poplawski <or...@nwra.com> wrote:
> > >
> > > > Can anyone give me some details about the Urlhaus.Malware.452652-9766253-0
> > > > signature? We're seeing the following URLs trigger it:
> > > >
> > > > https://curben.gitlab.io/malware-filter/urlhaus-filter-online.txt
> > > > https://raw.githubusercontent.com/curbengh/urlhaus-filter/master/urlhaus-filter-online.txt
> > > > https://gitcdn.xyz/cdn/curbengh/urlhaus-filter/c499fcbe5e95f61bbe889f4e3a19d5d2e877e120/urlhaus-filter-online.txt
> > > > https://cdn.statically.io/gl/curben/urlhaus-filter/master/urlhaus-filter-online.txt
> > > > https://cdn.jsdelivr.net/gh/curbengh/urlhaus-filter/urlhaus-filter-online.txt
> > > >
> > > > Which seem to be the online update URLs for the urlhaus filter. Does ClamAV
> > > > deem urlhaus a bad actor?
> > > >
> > > > Thanks,
> > > > Orion

-- 
Orion Poplawski
Manager of NWRA Technical Systems          720-772-5637
NWRA, Boulder/CoRA Office                  FAX: 303-415-9702
3380 Mitchell Lane                         or...@nwra.com
Boulder, CO 80301                          https://www.nwra.com/
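The mechanism Lilia describes, a URL signature that fires on the URL string wherever it occurs in a file, is why a blocklist that merely lists a URL hits just like a page that embeds it. The following Python is an added example, not code from the thread, ClamAV or Talos: the signature names, URLs and inputs are constructed, and `looks_like_blocklist` is an assumed stand-in for whatever extra check Talos added, not their actual logic.

```python
import re

# Constructed URL signatures: signature name -> URL string it looks for.
# Names and URLs are example values, not real Urlhaus signatures.
URL_SIGNATURES = {
    "Example.Malware.100-1": "http://bad-host.example/payload.exe",
    "Example.Malware.200-1": "http://evil.example/update.php",
}

# Constructed inputs: a page that actually links to a malicious URL, and a
# urlhaus-style filter list that merely *names* the same URLs.
MALICIOUS_HTML = (
    '<html><body><p>Update needed:</p>'
    '<a href="http://bad-host.example/payload.exe">download</a></body></html>'
)
FILTER_LIST = """! Title: constructed URLhaus-style filter list (example data)
! Expires: 1 day
||bad-host.example^
http://bad-host.example/payload.exe
http://evil.example/update.php
"""

# A bare blocklist entry: adblock host rule, plain URL, or plain hostname.
_ENTRY_RE = re.compile(r"^(\|\|[\w.-]+\^?|https?://\S+|[\w.-]+\.[a-z]{2,})$", re.I)


def url_signature_hits(content: str) -> list:
    """Plain substring matching, which is how a URL signature behaves on HTML:
    the blocklist and the malicious page both hit."""
    return [name for name, url in URL_SIGNATURES.items() if url in content]


def looks_like_blocklist(content: str, min_ratio: float = 0.8) -> bool:
    """Assumed heuristic (not Talos's real check): nearly every non-comment
    line is a bare blocklist entry and the file carries no HTML markup."""
    lines = [l.strip() for l in content.splitlines() if l.strip()]
    entries = [l for l in lines if not l.startswith(("!", "#"))]
    if not entries or "<" in content:
        return False
    bare = sum(1 for l in entries if _ENTRY_RE.match(l))
    return bare / len(entries) >= min_ratio


def scan(content: str) -> list:
    """Signature hits, suppressed when the file is itself a URL blocklist."""
    if looks_like_blocklist(content):
        return []
    return url_signature_hits(content)
```

Until updated signatures arrive, a local `.ign2` file in the ClamAV database directory that lists the signature name suppresses that signature.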
_______________________________________________
clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq

http://www.clamav.net/contact.html#ml